Index not being created in elasticsearch


(Pravin) #1

Simple ELK setup

I have created the GROK expression for IIB server logs and it works fine.

Only problem is the output filter is not creating an index on elasticsearch its always defaults to logstash-* index

My plugin below this one does not create index
input { stdin { } }
filter {
grok {
match => {"message" => "^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{USERNAME:user}?:%{LOGLEVEL:log_level}?|%{LOGLEVEL:log_level} %{PROG:program}[%{POSINT:pid}]?: %{CISCO_REASON:IIB_Version} (%{NOTSPACE:Broker}.%{NOTSPACE:Execution_Grp}) %{SYSLOG5424SD:Thread} (%{GREEDYDATA:msg}) %{NOTSPACE:errrCode}?: %{GREEDYDATA:message}"}
}

}
output {

elasticsearch {
hosts => ["127.0.0.1:9200"]
action => "index"
index => "Broker-%{+YYYY.MM.dd}"

}
stdout { codec => rubydebug }

}

This one works fine
input { stdin { } }
filter {
grok {
match => {"message" => "^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{USERNAME:user}?:%{LOGLEVEL:log_level}?|%{LOGLEVEL:log_level} %{PROG:program}[%{POSINT:pid}]?: %{CISCO_REASON:IIB_Version} (%{NOTSPACE:Broker}.%{NOTSPACE:Execution_Grp}) %{SYSLOG5424SD:Thread} (%{GREEDYDATA:msg}) %{NOTSPACE:errrCode}?: %{GREEDYDATA:message}"}
}

}
output {

elasticsearch {
hosts => ["127.0.0.1:9200"]
}
stdout { codec => rubydebug }

}

Here is where I am stuck now.


(Pravin) #2

Resolved cannot use uppercase in index name.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.